
Session timeout expiry does not always expire the session

Open martyf opened this issue 4 months ago • 2 comments

Bug description

Sometimes it does... but sometimes it doesn't.

Especially if the window is in focus during the timeout, I've noticed that the session can "expire" but then doesn't actually expire and instead renews. Like here it expires, asks for password, expires, then goes back to the CP with no user interaction at all, so it hasn't actually logged the user out.

https://github.com/user-attachments/assets/4e71f1d6-8c21-48ba-a2d3-ef8fbcc1c503

How to reproduce

  1. Statamic alpha 8
  2. Create a user (mine has two factor - not sure if that matters)
  3. Set SESSION_LIFETIME to 2
  4. Log in, and wait 1 minute - the timeout modal appears, then wait another minute, and it can sometimes automatically renew the session

Logs


Environment

Environment
Application Name: Statamic
Laravel Version: 12.29.0
PHP Version: 8.4.12
Composer Version: 2.8.11
Environment: local
Debug Mode: ENABLED
URL: 
Maintenance Mode: OFF
Timezone: Australia/Adelaide
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: file
Database: sqlite
Logs: stack / single
Mail: smtp
Queue: sync
Session: file

Storage
public/storage: LINKED

Statamic
Addons: 0
Sites: 1
Stache Watcher: Enabled (auto)
Static Caching: Disabled
Version: 6.0.0-alpha.8 PRO

Installation

Fresh statamic/statamic site via CLI

Additional details

No response

martyf, Sep 17 '25 22:09

Looks like this is how it works on v5 as well (the modal you're seeing is the new version of the red banner):

https://github.com/user-attachments/assets/e195a3bb-0415-478b-942b-505eea04126b

duncanmcclean, Sep 18 '25 10:09

That would mean this issue is applicable to both 5 and 6 then: when that password box appears, I should not be able to continue using the CP without the password.

But having it automatically keep you logged in for another session lifetime defeats the purpose of presenting the password box.

It either needs to actually log the user out, or stay on the password modal to allow the user to re-auth and re-extend the session: not do it automatically.

martyf, Sep 18 '25 23:09
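To make the security point of this thread concrete, here is an added illustrative example of how an idle-timeout guard is expected to behave server-side. It is not Statamic or Laravel code, and the class name `IdleTimeoutGuard`, its methods and the `$touch` flag are assumptions for the illustration; the only value taken from the report is the 2-minute `SESSION_LIFETIME`. The guard treats the lifetime as a hard deadline: once it has passed, authentication state is dropped and only an explicit re-authentication (the password box) brings it back. It also separates a status poll, which must not count as activity, from a real user request, since a poll that silently extends the window would produce exactly the "expires, then goes back to the CP" behaviour described above.

```php
<?php
// Added example (not Statamic or Laravel code): a minimal server-side idle-timeout guard.
// The client-side modal is only a courtesy; the control that matters is this check,
// which runs on every request and can never be satisfied by the browser alone.
declare(strict_types=1);

final class IdleTimeoutGuard
{
    // Lifetime in minutes, mirroring the SESSION_LIFETIME setting from the report.
    public function __construct(private int $lifetimeMinutes) {}

    /** Called after a successful login or an explicit re-authentication (password entered). */
    public function markAuthenticated(array &$session, int $now): void
    {
        $session['authenticated'] = true;
        $session['last_activity'] = $now;
    }

    /**
     * Called on every request. Returns true when the request may proceed.
     * $touch = true  : a real user request, which slides the idle window forward.
     * $touch = false : a background status poll (e.g. the countdown checking whether
     *                  the session is still alive); it must observe but never extend.
     * Once the deadline has passed, authentication state is dropped, and nothing
     * short of markAuthenticated() restores it.
     */
    public function check(array &$session, int $now, bool $touch = true): bool
    {
        if (empty($session['authenticated'])) {
            return false;
        }

        $deadline = $session['last_activity'] + $this->lifetimeMinutes * 60;
        if ($now > $deadline) {
            // Hard expiry: invalidate rather than renew.
            $session = ['authenticated' => false];
            return false;
        }

        if ($touch) {
            $session['last_activity'] = $now;
        }
        return true;
    }
}

// Constructed timeline following the reproduction steps: 2-minute lifetime.
$guard   = new IdleTimeoutGuard(2);
$session = [];
$t0      = 1_000_000; // arbitrary epoch seconds, constructed for the demo

$guard->markAuthenticated($session, $t0);

// After 1 minute the CP's countdown polls the server: still alive, window NOT extended.
var_dump($guard->check($session, $t0 + 60, touch: false));   // bool(true)

// After 2 minutes plus a second, the next poll finds the session expired.
var_dump($guard->check($session, $t0 + 121, touch: false));  // bool(false)

// A later request with no re-authentication stays rejected; this is the step the
// report says is currently being skipped, with the session silently renewing.
var_dump($guard->check($session, $t0 + 122));                // bool(false)

// Only an explicit re-auth (password box) brings the session back.
$guard->markAuthenticated($session, $t0 + 130);
var_dump($guard->check($session, $t0 + 131));                // bool(true)
```

Run with `php idle_timeout_guard.php` (any PHP 8 release; named arguments and constructor promotion are used). The design choice worth noting for a fix in any CP is the `$touch` distinction: whatever request the timeout UI makes to learn the session state has to be read-only, otherwise the UI that exists to enforce the timeout becomes the thing that defeats it.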